fix(e2e): adopt reusable workflow from .github/main after pnpm support landed (PRI-859)

Add pnpm.overrides.elliptic to prevent version regression on
the transitive elliptic vulnerability (CVE-2025-14505).

Vulnerability path:
@kinvolk/headlamp-plugin → vite-plugin-node-polyfills →
node-stdlib-browser → crypto-browserify → browserify-sign → elliptic

Note: pnpm audit will still report the vulnerability until
upstream publishes elliptic 6.6.2+. This override safeguards
against pulling a worse version.

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>

.github/workflows/e2e.yaml

@@ -18,5 +18,6 @@ jobs:
   e2e:
     uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@main
     with:
-      node-version: "22"
+      node-version: '22'
       headlamp-version: v0.40.1
+      e2e-namespace: headlamp-dev

package.json

@@ -45,6 +45,7 @@
   "overrides": {
     "tar": "^7.5.11",
     "undici": "^7.24.3",
-    "lodash": ">=4.18.0"
+    "lodash": ">=4.18.0",
+    "elliptic": ">=6.6.1"
   }
 }

scripts/deploy-e2e-headlamp.sh

@@ -60,20 +60,15 @@ kubectl create configmap headlamp-intel-gpu-plugin \
 
 # --- Tear down any existing E2E deployment for a clean start ---
 # Deleting the Deployment forces a fresh pod (new ReplicaSet) regardless of
-# whether the pod spec changed. We do NOT delete the ServiceAccount — keeping
-# it avoids a token-race condition where kubelet tries to mount a volume using a
-# token that has been deleted but the new one isn't ready yet.
-# The Service is NOT deleted — leaving it in place avoids an
+# whether the pod spec changed. The ServiceAccount is also deleted for a clean
+# token state. The Service is NOT deleted — leaving it in place avoids an
 # Endpoints UID race (FailedToUpdateEndpoint) that causes DNS resolution
 # failures. kubectl apply below upserts the Service in-place, and the new
 # pod's IP is added to the existing Endpoints automatically.
 echo ""
 echo "Removing any existing E2E deployment (clean-start)..."
 kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
-# ServiceAccount is kept — create it idempotently so the first run works too
-kubectl create serviceaccount "${E2E_RELEASE}" \
-  -n "$E2E_NAMESPACE" \
-  --dry-run=client -o yaml | kubectl apply -f -
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 
 # --- Deploy Headlamp via kubectl apply ---
 echo ""